Did Auckland District Health Board overreact to privacy breach?
In the U.S., we expect entities to take strong and effective action to address employee snooping or improper sharing of confidential patient information. But a professional group in New Zealand is not happy with the Auckland District Health Board’s response to a breach previously reported on this blog involving a patient who sought emergency treatment for an eel up his tuchus. His records were shared among staff and somehow made their way to the media, leading to the ADHB disciplining over 30 employees at Auckland City Hospital.
Ruth Larsen reports that the ADHB’s circulation of the privacy agreement has drawn some strong criticism from the executive director of the Association of Salaried Medical Specialists:
Particularly objectionable is a clause stating passwords and logins must never be shared, and staff are accountable for all transactions in Auckland DHB information systems under their login/password, he says.
There are often good reasons for other staff members to share patient files, Mr Powell says.
Wait, what? There are good reasons to share patient files, but if you let a colleague access a file under your login and you walk away, do you know what else they’re accessing? How many times have we seen this here – where shared logins or failure to log out led to theft of patient information? The ADHB is correct, in my opinion, to reinforce the importance of not sharing passwords and login credentials.
Under the agreement, staff are also expected to ensure anti-virus software is installed and up-to-date on the computer they are using.
Well, okay, there I might agree with any pushback. That shouldn’t be on employees unless it’s a BYOD, and should rest with the hospital’s IT department.
Sending out the agreement shows a top-down mentality within the DHB, he says.
However, ADHB chief executive Ailsa Claire says in a media statement the privacy agreement is one all staff sign when they begin employment at the DHB.
It is exactly the same document that has been in use since 2008, Ms Claire says. (emphasis added by me)
“We are reissuing it to raise awareness of privacy and the absolute commitment ADHB has to ensuring patients’ records are not inappropriately accessed.”
Ms Claire acknowledges there are “issues” with the form and has given a commitment to work with staff to remedy them.
ASMS members have been advised not to sign the agreement and the association has requested the DHB replace it with a reminder to staff of their obligations regarding privacy.
Note that this was posted on nzDoctor.co.nz. Because they do not include a copy of the agreement, it’s impossible to know exactly what the wording is and what changes might be reasonable to make, but no, it is not enough to just remind staff of their obligations to protect privacy and confidentiality. Employees need to sign agreements, they need to know they are being watched and that their access is being logged and audited, and they need to know that there are consequences for failure to adhere to the privacy policies. The protections are there for the patients, and if staff find them inconvenient or that they interfere with patient care, start a serious discussion, but it is not effective to just send a reminder as the association is requesting. We have too many breach reports proving otherwise.